Are your security procedures failing to bite? Expert witness Peter
Sommer shares his top 10 lessons in Internet security
Peter Sommer is one of the country's premier experts on computer
security. His expert opinion is regularly sought, and he is often
called upon as a witness to interpret failures in security for the
courts. Sommer was also a key adviser to the Department of Trade
and Industry Select Committee in its discussions on the
government's attempt to foster electronic commerce.
Sommer has identified 10 failure scenarios in which security is
critical: eight are management-related and two are technical. The
scenarios below are based on cases in which Sommer has given
evidence as an expert witness. Many of the security breaches
occurred in early attempts to drive business via the web, when
investment funds were plentiful but few companies, in their rush to
be first to market, gave much thought to their security and
business risks.
Management failings
Failure to realise that security is an integral part of the
service you are offering
Many companies set up in the last
two or three years to take advantage of the web revolution failed
to consider that offering suitable security around their offerings
was an integral part of the service. One financial services
company, a startup that was set up by people with considerable
experience in financial services and management consultancy, had
approached investors with the plan which ultimately said, 'We're
going to make lots of money.' Yet, in searching for insurance, they
had not managed to nail down any of the contracts on which their
services depended.
Unfortunately, having been given money on the basis of their
business plan - admittedly in heady times - they could hardly go
back to their investors and say the business plan wouldn't work
without insurance in place. But without insurance in place, they
couldn't trade. The entire venture was based on a flawed business
plan, with no consideration of risk.
Failure to include an adequate security budget in the initial
business plan
The failure discussed above could equally apply to the security
considerations of bricks-and-mortar companies at any time. But more
and more dotcoms were set up in a culture of speed, fuelled by rapid
application development and using products such as FrontPage to get
up and running quickly. Systems would be based on two or three PCs
and could be live in two or three weeks.
But security operates on the 10:90 rule: the equipment provides
only 10% of the solution, and the other 90% is the testing needed to
ensure the products work effectively under load and under attack.
There is a world of difference between offering a service to
500,000 customers and offering it to 50.
Companies fell into two categories: those that continued to offer
their services amid a catalogue of security scares, such as Egg;
and those that decided not to offer their services until they
believed their systems were sufficiently robust, such as Halifax,
which received unwelcome publicity as a result of pulling its
launch date.
Failure to allow sufficient time for testing for security
resilience
Many of these lessons have a knock-on effect.
Inadequate thinking time for security, followed by inadequate
budgeting, is likely to lead to inadequate testing. Because all
companies wanted to be first to market, their products were rarely
tested to breaking point. So, customers became the testers and the
services fell over, as you would expect if they were insufficiently
robust.
As traditional bricks-and-mortar companies have entered the market,
with brand names to protect and customer service to consider, the
services have become better tested. Occasionally, as in the recent
example involving the release of personal data from the Consumers
Association website, even the established names can get it
wrong.
Failure to understand the extent to which you are reliant
through outsourcing on third parties, with consequent
liabilities
The use of outsourcing and hosted services places the onus on
organisations to ensure that their offerings to customers appear
seamless, even if they are hosted elsewhere. The customer does not
care who is hosting the service; as far as they are concerned, they
are dealing with the company whose name is on it.
If you are using third parties to provide services, their security
has to be as robust as yours because the customer will hold you
responsible. If you are delivering via a third party to a customer,
and the order or the goods go missing, it is not the third party
who will be blamed by the customer, it is you.
Failure to design systems so they can collect evidence of what
is happening within them
In traditional bricks-and-mortar companies, the systems have been
built up over years and are structured to capture evidence of the
history of every transaction. In other words, there is an audit
trail. In many e-commerce systems, that trail is missing.
It all comes down to the confidence of the customer in the systems
they are using. If, because of inadequacy in the way a system is
designed, a customer's transactions are lost, there is a risk not
only of a ruined reputation, but also of litigation.
If the system cannot capture an adequate trail, that is, evidence
of how each transaction progressed from stage to stage, the customer
is justified in having little confidence in using it.
The trail should include elements such as the emails sent to
confirm an order and its subsequent delivery. Even something that
simple is evidence of a well-designed system, because it gives both
sides a record of what was agreed and when.
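As an added illustration of the stage-by-stage trail described above (example code, not from the article or from any system Sommer gave evidence on), the sketch below records each step of an order in an append-only log in which every entry carries the hash of the one before it. The order numbers, stages, actors and timestamps are constructed sample data. A log built this way lets you reconstruct what happened to an order and shows when an entry has been altered or removed after the fact; on its own it does not stop someone with write access from rebuilding the whole chain from scratch, so in practice the log is shipped to a separate host or write-once store and its latest hash is periodically signed or published.

```python
"""Append-only, hash-chained audit trail for a multi-stage transaction.

Added example, not code from the article. Order IDs, stages, actors and
timestamps below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass
class AuditEntry:
    seq: int          # position in the log; a gap means an entry was removed
    order_id: str
    stage: str        # e.g. "order_received", "payment_authorised", "dispatched"
    actor: str        # customer, service or operator that performed the step
    timestamp: str    # ISO 8601, supplied by the caller so runs are reproducible
    details: dict
    prev_hash: str    # hash of the previous entry; links the chain
    entry_hash: str = ""

    def canonical(self) -> bytes:
        # Stable serialisation: sorted keys, no whitespace, hash field excluded.
        body = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def compute_hash(self) -> str:
        return hashlib.sha256(self.canonical()).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self._entries: list = []

    def record(self, order_id: str, stage: str, actor: str, timestamp: str,
               details: Optional[dict] = None) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        entry = AuditEntry(len(self._entries), order_id, stage, actor,
                           timestamp, details or {}, prev)
        entry.entry_hash = entry.compute_hash()
        self._entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Walk the chain; any edit, deletion or reordering breaks it."""
        prev = GENESIS
        for position, e in enumerate(self._entries):
            if e.seq != position:
                return False, f"sequence gap at position {position}"
            if e.prev_hash != prev:
                return False, f"chain broken at seq {e.seq}"
            if e.compute_hash() != e.entry_hash:
                return False, f"entry {e.seq} altered after it was written"
            prev = e.entry_hash
        return True, "ok"

    def history(self, order_id: str) -> list:
        """Stages an order passed through, in the order they were recorded."""
        return [e.stage for e in self._entries if e.order_id == order_id]


def build_sample_trail() -> AuditTrail:
    # Constructed sample transactions, not real data.
    t = AuditTrail()
    t.record("ORD-1001", "order_received", "customer:alice", "2001-06-01T10:00:00Z",
             {"items": ["SKU-42"], "amount": "19.99"})
    t.record("ORD-1001", "confirmation_emailed", "svc:mailer", "2001-06-01T10:00:02Z",
             {"to": "alice@example.com", "message_id": "<c1@example.com>"})
    t.record("ORD-1002", "order_received", "customer:bob", "2001-06-01T10:05:00Z",
             {"items": ["SKU-7"], "amount": "5.00"})
    t.record("ORD-1001", "payment_authorised", "svc:psp", "2001-06-01T10:05:30Z",
             {"auth_code": "A1B2C3"})
    t.record("ORD-1001", "dispatched", "op:warehouse-3", "2001-06-02T08:15:00Z",
             {"carrier": "ExampleCourier", "tracking": "EC123456789GB"})
    return t


def tamper_amount() -> tuple:
    """Someone with write access changes a recorded amount; verify catches it."""
    t = build_sample_trail()
    t._entries[0].details["amount"] = "0.01"
    return t.verify()


def drop_entry() -> tuple:
    """The payment step is deleted as if it never happened; verify catches it."""
    t = build_sample_trail()
    del t._entries[3]
    return t.verify()


if __name__ == "__main__":
    trail = build_sample_trail()
    print(trail.verify(), trail.history("ORD-1001"))
    print(tamper_amount())
    print(drop_entry())
```

`history("ORD-1001")` is the reconstruction a dispute needs: received, confirmed, paid, dispatched, each with who did it and when. The two tamper functions show the other half of the requirement, that the record itself can be trusted.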
Failure to verify the CVs of those you employ, and to have a
monitoring scheme that will alert you to harmful
situations
The rise of the quickly built dotcom, and of bricks-and-mortar
companies' own e-commerce offerings, has brought a worrying rise in
risks stemming from inadequate staff vetting and monitoring.
Instead of an established IT department, where checks and balances
over staff are more likely to be in place, these companies have
taken on very young staff purely on the strength of their skills.
And because they have web-based skills that the rest of the IT staff
may lack, they have the power to do a lot of damage.
While older members of the technology staff may be known, and any
problems (drink, drugs, etc) spotted, quickly built companies and
systems give less opportunity for those checks to operate. The onus
is on managers to know their staff and to spot changes in working
habits before they learn the hard way that a disaffected employee
has hurt the business.
Failure to rely on the right sort of security
consultant
Ethical hacking, or penetration testing, is fashionable and, when
done properly, can be useful. But there is more to security than
that. Penetration testing has become the 'sympathetic magic'
approach to security: having bought one, you might be tempted to
think that all your security worries have been resolved. Remember
that penetration testing is just that, a test of whether someone can
get in. It is good to do, and can spot some weaknesses, but there is
still a need to do the boring stuff, like putting security policies
in place.
Failure to have a contingency plan in place
If you have a problem with the website providing your e-commerce,
or if there is an inadvertent release of customer data, such as has
occurred recently, then you run the risk of a large number of
enquiries. There were a lot of unfavourable situations like these 12
months ago, when some users were unable to access sites with their
browsers while others had Internet Explorer with all the bells and
whistles. That led to a flood of calls to the helpdesk, which was
overwhelmed. And although many customer service staff used scripts
to deal with queries, they were unable to solve every problem. You
have to plan for things to go wrong, and put contingency plans in
place to cope with them when they do.
Technical failings
Basing your system on products that have been released without
sufficient testing
Too many strategies for e-business have
been based on the latest whizzo technology that either has just
been released or is due for release. You may have a beta copy of
the latest application program, but it would be unwise to base your
business around it.
Unfortunately, in many cases, that is just what happens. The
'e-step product in a box' is more often a marketing concept than a
reality. Everybody is full of optimism that XYZ product will do the
trick, but you should stick to your business plan and base it on
tried and trusted technology, not on hype.
Not keeping up with the latest patches
The case of 19-year-old Welsh hacker Raphael Gray demonstrated that
even sites running Microsoft's own software can fall behind in
adopting the patches needed to keep their systems secure. Gray
famously broke in through a weakness in Internet Information Server
4 for which a fix was already available, and sent Microsoft's
chairman, Bill Gates, some Viagra. You have to keep up to date with
the latest patches covering security weaknesses, and put a system
in place to ensure they are adopted swiftly.
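A system that "ensures patches are adopted swiftly" starts with something that fails loudly when they are not. The script below is an added example (not from the article) for a Debian or Ubuntu host: it parses the output of `apt list --upgradable`, separates updates that come from a security suite from routine ones, and returns a pass/fail that a monitoring job or CI gate can act on. The output embedded in `SAMPLE_OUTPUT` is constructed; the package names and version strings in it are illustrative only. On other platforms the same shape applies with a different source of truth (`yum updateinfo`, Windows Update, a vendor advisory feed).

```python
"""Flag pending security updates from `apt list --upgradable` output.

Added example, not from the article. SAMPLE_OUTPUT is constructed; the
package and version strings in it are illustrative only.
"""
import re
import subprocess

# One line per upgradable package, in the form apt prints:
#   pkg/suite[,suite...] newversion arch [upgradable from: oldversion]
LINE_RE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from:\s+(?P<old>[^\]]+)\]$"
)

# Constructed sample of what a neglected host might report.
SAMPLE_OUTPUT = """\
Listing... Done
openssl/bookworm-security 3.0.11-1~deb12u2 amd64 [upgradable from: 3.0.11-1~deb12u1]
libssl3/bookworm-security 3.0.11-1~deb12u2 amd64 [upgradable from: 3.0.11-1~deb12u1]
vim/bookworm 2:9.0.1378-2 amd64 [upgradable from: 2:9.0.1378-1]
curl/bookworm-security,bookworm 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]
"""


def parse_upgradable(output: str) -> list:
    """Turn apt's listing into records; unrecognised lines are skipped."""
    pending = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skips "Listing... Done" and anything unexpected
            continue
        suites = m["suites"].split(",")
        pending.append({
            "package": m["pkg"],
            "installed": m["old"],
            "available": m["new"],
            # Debian and Ubuntu publish fixes from a "<release>-security" suite.
            "security": any("security" in s for s in suites),
        })
    return pending


def security_backlog(output: str) -> list:
    """Names of packages whose pending update comes from a security suite."""
    return sorted(p["package"] for p in parse_upgradable(output) if p["security"])


def check_host(output: str, max_pending_security: int = 0) -> tuple:
    """Policy gate: fail when more than max_pending_security fixes are waiting."""
    backlog = security_backlog(output)
    if len(backlog) > max_pending_security:
        return False, "pending security updates: " + ", ".join(backlog)
    return True, "no security updates outstanding"


def live_output() -> str:
    """Run the real command; only used when executed directly on an apt host."""
    return subprocess.run(["apt", "list", "--upgradable"],
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    ok, message = check_host(live_output())
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run it from cron or a configuration-management check and alert on a non-zero exit; the point is that "we are behind on patches" becomes a fact the system reports rather than something discovered after a break-in.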